DISA_STIG_Ubuntu_20.04_LTS_v1r5.audit from DISA Canonical Ubuntu 20.04 LTS v1r5 STIG

UBTU-20-010000 - The Ubuntu operating system must provision temporary user accounts with an expiration time of 72 hours or less.

CAT|II

CCI|CCI-000016

Rule-ID|SV-238196r653763_rule

STIG-ID|UBTU-20-010000

Vuln-ID|V-238196

UBTU-20-010002 - The Ubuntu operating system must enable the graphical user logon banner to display the Standard Mandatory DoD Notice and Consent Banner before granting local access to the system via a graphical user logon.

CCI|CCI-000048

Rule-ID|SV-238197r653766_rule

STIG-ID|UBTU-20-010002

Vuln-ID|V-238197

UBTU-20-010003 - The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local access to the system via a graphical user logon.

Rule-ID|SV-238198r653769_rule

STIG-ID|UBTU-20-010003

Vuln-ID|V-238198

UBTU-20-010004 - The Ubuntu operating system must retain a user's session lock until that user reestablishes access using established identification and authentication procedures.

CCI|CCI-000056

CCI|CCI-000057

Rule-ID|SV-238199r653772_rule

STIG-ID|UBTU-20-010004

Vuln-ID|V-238199

UBTU-20-010005 - The Ubuntu operating system must allow users to directly initiate a session lock for all connection types.

CCI|CCI-000058

CCI|CCI-000060

Rule-ID|SV-238200r653775_rule

STIG-ID|UBTU-20-010005

Vuln-ID|V-238200

UBTU-20-010006 - The Ubuntu operating system must map the authenticated identity to the user or group account for PKI-based authentication.

CAT|I

CCI|CCI-000187

Rule-ID|SV-238201r832933_rule

STIG-ID|UBTU-20-010006

Vuln-ID|V-238201

UBTU-20-010007 - The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime. Passwords for new users must have a 24 hours/1 day minimum password lifetime restriction.

CAT|III

CCI|CCI-000198

Rule-ID|SV-238202r653781_rule

STIG-ID|UBTU-20-010007

Vuln-ID|V-238202

UBTU-20-010008 - The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction. Passwords for new users must have a 60-day maximum password lifetime restriction.

CCI|CCI-000199

Rule-ID|SV-238203r653784_rule

STIG-ID|UBTU-20-010008

Vuln-ID|V-238203

UBTU-20-010009 - Ubuntu operating systems when booted must require authentication upon booting into single-user and maintenance modes.

CCI|CCI-000213

Rule-ID|SV-238204r832936_rule

STIG-ID|UBTU-20-010009

Vuln-ID|V-238204

UBTU-20-010010 - The Ubuntu operating system must uniquely identify interactive users.

CCI|CCI-000764

CCI|CCI-000804

Rule-ID|SV-238205r653790_rule

STIG-ID|UBTU-20-010010

Vuln-ID|V-238205

UBTU-20-010012 - The Ubuntu operating system must ensure only users who need access to security functions are part of sudo group.

CCI|CCI-001084

Rule-ID|SV-238206r653793_rule

STIG-ID|UBTU-20-010012

Vuln-ID|V-238206

UBTU-20-010013 - The Ubuntu operating system must automatically terminate a user session after inactivity timeouts have expired.

CCI|CCI-002361

Rule-ID|SV-238207r653796_rule

STIG-ID|UBTU-20-010013

Vuln-ID|V-238207

UBTU-20-010014 - The Ubuntu operating system must require users to reauthenticate for privilege escalation or when changing roles.

CCI|CCI-002038

Rule-ID|SV-238208r653799_rule

STIG-ID|UBTU-20-010014

Vuln-ID|V-238208

UBTU-20-010016 - The Ubuntu operating system default filesystem permissions must be defined in such a way that all authenticated users can read and modify only their own files.

CCI|CCI-000366

Rule-ID|SV-238209r653802_rule

STIG-ID|UBTU-20-010016

Vuln-ID|V-238209

UBTU-20-010033 - The Ubuntu operating system must implement smart card logins for multifactor authentication for local and network access to privileged and non-privileged accounts - libpam-pkcs11

CCI|CCI-000765

CCI|CCI-000766

CCI|CCI-000767

CCI|CCI-000768

Rule-ID|SV-238210r653805_rule

STIG-ID|UBTU-20-010033

Vuln-ID|V-238210

UBTU-20-010033 - The Ubuntu operating system must implement smart card logins for multifactor authentication for local and network access to privileged and non-privileged accounts - PubkeyAuthentication

UBTU-20-010035 - The Ubuntu operating system must use strong authenticators in establishing nonlocal maintenance and diagnostic sessions.

CCI|CCI-000877

Rule-ID|SV-238211r653808_rule

STIG-ID|UBTU-20-010035

Vuln-ID|V-238211

UBTU-20-010036 - The Ubuntu operating system must immediately terminate all network connections associated with SSH traffic after a period of inactivity.

CCI|CCI-000879

Rule-ID|SV-238212r653811_rule

STIG-ID|UBTU-20-010036

Vuln-ID|V-238212

UBTU-20-010037 - The Ubuntu operating system must immediately terminate all network connections associated with SSH traffic at the end of the session or after 10 minutes of inactivity.

CCI|CCI-001133

Rule-ID|SV-238213r653814_rule

STIG-ID|UBTU-20-010037

Vuln-ID|V-238213

UBTU-20-010038 - The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting any local or remote connection to the system - banner text

CCI|CCI-001384

CCI|CCI-001385

CCI|CCI-001386

CCI|CCI-001387

CCI|CCI-001388

Rule-ID|SV-238214r832938_rule

STIG-ID|UBTU-20-010038

Vuln-ID|V-238214

UBTU-20-010038 - The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting any local or remote connection to the system - sshd_config

UBTU-20-010042 - The Ubuntu operating system must use SSH to protect the confidentiality and integrity of transmitted information - openssh-server

CCI|CCI-002418

CCI|CCI-002420

CCI|CCI-002422

Rule-ID|SV-238215r653820_rule

STIG-ID|UBTU-20-010042

Vuln-ID|V-238215

UBTU-20-010042 - The Ubuntu operating system must use SSH to protect the confidentiality and integrity of transmitted information - sshd.service

UBTU-20-010043 - The Ubuntu operating system must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.

CCI|CCI-001453

CCI|CCI-002421

CCI|CCI-002890

Rule-ID|SV-238216r654316_rule

STIG-ID|UBTU-20-010043

Vuln-ID|V-238216

UBTU-20-010044 - The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.

CCI|CCI-000068

CCI|CCI-003123

Rule-ID|SV-238217r832940_rule

STIG-ID|UBTU-20-010044

Vuln-ID|V-238217

UBTU-20-010047 - The Ubuntu operating system must not allow unattended or automatic login via SSH - PermitEmptyPasswords

Rule-ID|SV-238218r653829_rule

STIG-ID|UBTU-20-010047

Vuln-ID|V-238218

UBTU-20-010047 - The Ubuntu operating system must not allow unattended or automatic login via SSH - PermitUserEnvironment

UBTU-20-010048 - The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.

Rule-ID|SV-238219r653832_rule

STIG-ID|UBTU-20-010048

Vuln-ID|V-238219

UBTU-20-010049 - The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy display.

Rule-ID|SV-238220r653835_rule

STIG-ID|UBTU-20-010049

Vuln-ID|V-238220

UBTU-20-010050 - The Ubuntu operating system must enforce password complexity by requiring that at least one upper-case character be used.

CCI|CCI-000192

Rule-ID|SV-238221r653838_rule

STIG-ID|UBTU-20-010050

Vuln-ID|V-238221

UBTU-20-010051 - The Ubuntu operating system must enforce password complexity by requiring that at least one lower-case character be used.

CCI|CCI-000193

Rule-ID|SV-238222r653841_rule

STIG-ID|UBTU-20-010051

Vuln-ID|V-238222

UBTU-20-010052 - The Ubuntu operating system must enforce password complexity by requiring that at least one numeric character be used.

CCI|CCI-000194

Rule-ID|SV-238223r653844_rule

STIG-ID|UBTU-20-010052

Vuln-ID|V-238223

UBTU-20-010053 - The Ubuntu operating system must require the change of at least 8 characters when passwords are changed.

CCI|CCI-000195

Rule-ID|SV-238224r653847_rule

STIG-ID|UBTU-20-010053

Vuln-ID|V-238224

UBTU-20-010054 - The Ubuntu operating system must enforce a minimum 15-character password length.

CCI|CCI-000205

Rule-ID|SV-238225r832942_rule

STIG-ID|UBTU-20-010054

Vuln-ID|V-238225

UBTU-20-010055 - The Ubuntu operating system must enforce password complexity by requiring that at least one special character be used.

CCI|CCI-001619

Rule-ID|SV-238226r653853_rule

STIG-ID|UBTU-20-010055

Vuln-ID|V-238226

UBTU-20-010056 - The Ubuntu operating system must prevent the use of dictionary words for passwords.

Rule-ID|SV-238227r653856_rule

STIG-ID|UBTU-20-010056

Vuln-ID|V-238227

UBTU-20-010057 - The Ubuntu operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used - enforcing

Rule-ID|SV-238228r653859_rule

STIG-ID|UBTU-20-010057

Vuln-ID|V-238228

UBTU-20-010057 - The Ubuntu operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used - libpam-pwquality

UBTU-20-010057 - The Ubuntu operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used - retry

UBTU-20-010060 - The Ubuntu operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

CCI|CCI-000185

Rule-ID|SV-238229r653862_rule

STIG-ID|UBTU-20-010060

Vuln-ID|V-238229

UBTU-20-010063 - The Ubuntu operating system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.

CCI|CCI-001948

Rule-ID|SV-238230r653865_rule

STIG-ID|UBTU-20-010063

Vuln-ID|V-238230

UBTU-20-010064 - The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials.

CCI|CCI-001953

Rule-ID|SV-238231r653868_rule

STIG-ID|UBTU-20-010064

Vuln-ID|V-238231

UBTU-20-010065 - The Ubuntu operating system must electronically verify Personal Identity Verification (PIV) credentials.

Detections

Analytics

Revision 1.3

Apr 12, 2023

Functional Update

Miscellaneous